Guido Bertoni3, Joan Daemen2, Seth Hoffert, Michaël Peeters1, Gilles Van Assche1 and Ronny Van Keer1
1STMicroelectronics - 2Radboud University - 3Security Pattern
Ketje is an authenticated encryption scheme based on Keccak-p. It takes as input a secret key and a nonce, then some associated data (or metadata) that are authenticated but not encrypted and finally some plaintext. It produces a cryptogram comprising the ciphertext and a tag authenticating both the metadata and the plaintext. The recipient holding the same secret key can decrypt the cryptogram and check whether it is authentic.
Ketje supports also the concept of sessions. Without having to input the key again and a new nonce, the communicating parties can keep on exchanging metadata-plaintext pairs. Each time, the tag authenticates the complete exchange of messages so far.
Ketje Jr and Ketje Sr aim at compact implementations in constrained environments, whereas Ketje Minor and Ketje Major are research ciphers that aim at high speed.
Synopsis | The Ketje authenticated encryption scheme | |||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Designed by | Guido Bertoni, Joan Daemen, Michaël Peeters, Gilles Van Assche and Ronny Van Keer | |||||||||||||||
Implements | An authenticated encryption scheme with associated data and support for sessions | |||||||||||||||
Construction | The MonkeyWrap authenticated encryption mode on top of the MonkeyDuplex construction | |||||||||||||||
Primitive | The Keccak-p[b, nr] permutations, with a twist | |||||||||||||||
Parameterized by | The width of the permutation b and by the block size ρ | |||||||||||||||
Instances |
| |||||||||||||||
Status | Third-round candidate in the CAESAR competition |
We define and document Ketje in the Ketje CAESAR submission v2.0.
The reference implementation of Ketje v2 is part of Keccak Tools. Further implementations can be found in the Keccak Code Package.